OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/child/webcrypto/platform_crypto.h" | 5 #include "content/child/webcrypto/platform_crypto.h" |
6 | 6 |
7 #include <cryptohi.h> | 7 #include <cryptohi.h> |
8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
9 #include <sechash.h> | 9 #include <sechash.h> |
10 | 10 |
(...skipping 1116 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1127 return Status::ErrorInvalidAesKwDataLength(); | 1127 return Status::ErrorInvalidAesKwDataLength(); |
1128 | 1128 |
1129 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv))); | 1129 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv))); |
1130 crypto::ScopedSECItem param_item( | 1130 crypto::ScopedSECItem param_item( |
1131 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item)); | 1131 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item)); |
1132 if (!param_item) | 1132 if (!param_item) |
1133 return Status::ErrorUnexpected(); | 1133 return Status::ErrorUnexpected(); |
1134 | 1134 |
1135 const unsigned int output_length = input_length + 8; | 1135 const unsigned int output_length = input_length + 8; |
1136 *buffer = blink::WebArrayBuffer::create(output_length, 1); | 1136 *buffer = blink::WebArrayBuffer::create(output_length, 1); |
1137 unsigned char* buffer_data = reinterpret_cast<unsigned char*>(buffer->data()); | 1137 SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(*buffer)); |
1138 SECItem wrapped_key_item = {siBuffer, buffer_data, output_length}; | |
1139 | 1138 |
1140 if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP, | 1139 if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP, |
1141 param_item.get(), | 1140 param_item.get(), |
1142 wrapping_key->key(), | 1141 wrapping_key->key(), |
1143 key->key(), | 1142 key->key(), |
1144 &wrapped_key_item)) { | 1143 &wrapped_key_item)) { |
1145 return Status::Error(); | 1144 return Status::Error(); |
1146 } | 1145 } |
1147 if (output_length != wrapped_key_item.len) | 1146 if (output_length != wrapped_key_item.len) |
1148 return Status::ErrorUnexpected(); | 1147 return Status::ErrorUnexpected(); |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1196 return Status::ErrorUnexpected(); | 1195 return Status::ErrorUnexpected(); |
1197 | 1196 |
1198 *key = blink::WebCryptoKey::create(new SymKey(unwrapped_key.Pass()), | 1197 *key = blink::WebCryptoKey::create(new SymKey(unwrapped_key.Pass()), |
1199 blink::WebCryptoKeyTypeSecret, | 1198 blink::WebCryptoKeyTypeSecret, |
1200 extractable, | 1199 extractable, |
1201 key_algorithm, | 1200 key_algorithm, |
1202 usage_mask); | 1201 usage_mask); |
1203 return Status::Success(); | 1202 return Status::Success(); |
1204 } | 1203 } |
1205 | 1204 |
| 1205 Status WrapSymKeyRsaEs(PublicKey* wrapping_key, |
| 1206 SymKey* key, |
| 1207 blink::WebArrayBuffer* buffer) { |
| 1208 // Check the raw length of the key to be wrapped against the max size allowed |
| 1209 // by the RSA wrapping key. With PKCS#1 v1.5 padding used in this function, |
| 1210 // the maximum data length that can be encrypted is the wrapping_key's modulus |
| 1211 // byte length minus eleven bytes. |
| 1212 const unsigned int input_length_bytes = PK11_GetKeyLength(key->key()); |
| 1213 const unsigned int modulus_length_bytes = |
| 1214 SECKEY_PublicKeyStrength(wrapping_key->key()); |
| 1215 if (modulus_length_bytes < 11 || |
| 1216 modulus_length_bytes - 11 < input_length_bytes) |
| 1217 return Status::ErrorDataTooLarge(); |
| 1218 |
| 1219 *buffer = blink::WebArrayBuffer::create(modulus_length_bytes, 1); |
| 1220 SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(*buffer)); |
| 1221 |
| 1222 if (SECSuccess != |
| 1223 PK11_PubWrapSymKey( |
| 1224 CKM_RSA_PKCS, wrapping_key->key(), key->key(), &wrapped_key_item)) { |
| 1225 return Status::Error(); |
| 1226 } |
| 1227 if (wrapped_key_item.len != modulus_length_bytes) |
| 1228 return Status::ErrorUnexpected(); |
| 1229 |
| 1230 return Status::Success(); |
| 1231 } |
| 1232 |
| 1233 Status UnwrapSymKeyRsaEs(const CryptoData& wrapped_key_data, |
| 1234 PrivateKey* wrapping_key, |
| 1235 const blink::WebCryptoAlgorithm& algorithm, |
| 1236 bool extractable, |
| 1237 blink::WebCryptoKeyUsageMask usage_mask, |
| 1238 blink::WebCryptoKey* key) { |
| 1239 |
| 1240 // Verify wrapped_key_data size does not exceed the modulus of the RSA key. |
| 1241 const int modulus_length_bytes = |
| 1242 PK11_GetPrivateModulusLen(wrapping_key->key()); |
| 1243 if (modulus_length_bytes <= 0) |
| 1244 return Status::ErrorUnexpected(); |
| 1245 if (wrapped_key_data.byte_length() > |
| 1246 static_cast<unsigned int>(modulus_length_bytes)) |
| 1247 return Status::ErrorDataTooLarge(); |
| 1248 |
| 1249 // Determine the proper NSS key properties from the input algorithm. |
| 1250 CK_MECHANISM_TYPE mechanism; |
| 1251 CK_FLAGS flags; |
| 1252 Status status = |
| 1253 WebCryptoAlgorithmToNssMechFlags(algorithm, &mechanism, &flags); |
| 1254 if (status.IsError()) |
| 1255 return status; |
| 1256 |
| 1257 SECItem wrapped_key_item = MakeSECItemForBuffer(wrapped_key_data); |
| 1258 |
| 1259 crypto::ScopedPK11SymKey unwrapped_key( |
| 1260 PK11_PubUnwrapSymKeyWithFlagsPerm(wrapping_key->key(), |
| 1261 &wrapped_key_item, |
| 1262 mechanism, |
| 1263 CKA_DECRYPT, |
| 1264 0, |
| 1265 flags, |
| 1266 false)); |
| 1267 if (!unwrapped_key) |
| 1268 return Status::Error(); |
| 1269 |
| 1270 const unsigned int key_length = PK11_GetKeyLength(unwrapped_key.get()); |
| 1271 |
| 1272 blink::WebCryptoKeyAlgorithm key_algorithm; |
| 1273 if (!CreateSecretKeyAlgorithm(algorithm, key_length, &key_algorithm)) |
| 1274 return Status::ErrorUnexpected(); |
| 1275 |
| 1276 *key = blink::WebCryptoKey::create(new SymKey(unwrapped_key.Pass()), |
| 1277 blink::WebCryptoKeyTypeSecret, |
| 1278 extractable, |
| 1279 key_algorithm, |
| 1280 usage_mask); |
| 1281 return Status::Success(); |
| 1282 } |
| 1283 |
1206 } // namespace platform | 1284 } // namespace platform |
1207 | 1285 |
1208 } // namespace webcrypto | 1286 } // namespace webcrypto |
1209 | 1287 |
1210 } // namespace content | 1288 } // namespace content |
OLD | NEW |